Are Poor Passwords the Weak Link in Your Business?
Passwords are designed to authenticate users and prevent unauthorized access to digital devices and online accounts. However, relying on weak codes and softball security questions — or neglecting to use passwords at all — threatens the security and privacy of your company’s data and customer information.
“Although small businesses don’t make the headlines, a recent report shows nearly 20 percent of cyber attacks are on small firms with less than 250 employees,” noted Chris Collins, chairman of the House Subcommittee on Health and Technology [PDF], during a March 21 House Committee on Small Business meeting to discuss ways to protect small enterprises from cyber attacks.
“The same report shows 77 percent of small firms believe their company is safe from a cyber attack — even though 87 percent of those firms do not have a written security policy in place. There is clearly a gap in education and resources. Moreover, the sophistication and scope of these attacks continue to grow at a rapid pace.”
Here are a few major pitfalls to avoid, plus a variety of tips for putting an effective digital security system in place.
Guessable Security Questions
One problem occurs when companies offer security questions (used for password resets in the event that a password is forgotten) that people other than the intended user can easily guess the answers to. Microsoft’s landmark password-security survey [PDF] in 2009 revealed that 17 percent of users’ acquaintances could correctly guess the answers to the security questions; 13 percent of the answers could be figured out within five attempts by trying the most popular responses.
Security questions such as “What color are your eyes?” and “What is your blood type?” have a very limited number of possible answers — and the most common choices narrow the those fields to four (brown, hazel, green, and blue and O, A, B, and AB, respectively).
Two years later, one of the most significant password breaches of 2011 occurred when hackers accessed the servers of Stratfor, a defense intelligence agency. The breach, detailed in Security Week, reveals that hackers stole personal and financial information of the company’s subscribers, including 860,000 email addresses and passwords and 60,000 credit card records. The list included prominent security experts and industry analysts, as well as employees from Cisco, IBM, and Microsoft.
And according to Forbes, some of the passwords included such simple creations as “satellite 1,” “Chicago,” “chance10,” and the ever-popular “password.” The incident resulted in more than $700,000 in fraudulent charges.
However, Nick Selby, a law-enforcement security analyst and one of the hacked subscribers, notes that weak passwords were not to blame in this instance. “Stratfor spent no time or energy on its information security, were bad stewards of my data, and broke industry standards and guidelines as to the protection of specific data such as passwords, credit card numbers, and personally identifiable information of its members,” Selby asserts. “...That has nothing to do with my password strength.”
In the 2012 Wired article “How Apple and Amazon Security Flaws Led to My Epic Hacking,” writer Mat Honan says that when hackers tried to access his Apple account, they were unable to answer any of his security questions.
However, Apple issued them a temporary password after they produced Honan’s mailing address and the last four numbers of his credit card — two pieces of information that he says are relatively easy to find.
Once they’d gained access to Honan’s Me.com email account, they deleted it and then proceeded to delete his iPad and iPhone accounts, remotely wipe his MacBook, and use his Twitter account to broadcast offensive remarks.
So, what have companies learned from these breaches? Apparently, not much. When Verizon Enterprises released its 2012 Data Breach Investigations Report, it revealed the following:
- 96 percent of attacks were not highly difficult;
- 94 percent of all data compromised involved servers;
- 85 percent of breaches took at least two weeks to discover;
- 92 percent of breaches were discovered by a third party; and
- 97 percent of breaches were avoidable through simple or intermediate controls.
What can small-business owners do to limit the probability of a breach? The Microsoft Small Business Center offers the following tips:
- Don’t leave passwords blank.
- Don’t use all letters or all numbers; names of kids, spouses, pets, etc.; personal social security numbers or birth dates; or words (English or foreign) that can be found in a dictionary.
- Make passwords at least eight characters long and mix letters, numbers, and symbols: for example, instead of the word, “password,” use “p@7sw)rd!”
- Whenever an employee needs to share a password with a co-worker, ask them to change it immediately.
Verizon’s report offers several additional safety measures:
- Change default passwords of POS (point of sale) systems and other devices used to connect to the internet.
- Don’t allow employees to use POS systems to browse the web.
- Make sure your POS systems are Payment Card Industry Data Security Standard (PCI DSS) compliant.
Also, be sure to use good security questions to create logins and reset and retrieve passwords. According to GoodSecurityQuestions.com, you should not let users write their own security questions because you can’t control the complexity of their choices. Instead, your company website should provide a list of questions they may choose from.
Examples of better security questions include:
- What is the middle name of your oldest child?
- What school did you attend for sixth grade?
- What is your oldest sibling’s birth date?
- What was the first name of your third-grade teacher?
Cyber-criminals are committed to hacking personal and business data. Small businesses should be just as committed to effective password management.
Terri Williams is a business writer for Intuit and is passionate about solving small business problems.